Orbiq LogoOrbiq
Trust Center Data Sovereignty: EU Hosting vs. EU Sovereignty
2026-02-22
By Anna Bley

Trust Center Data Sovereignty: EU Hosting vs. EU Sovereignty

Your trust center contains penetration test reports, security architecture details, and compliance evidence. "EU hosted" doesn't mean what you think it means.

Trust Center
Data Sovereignty
CLOUD Act
GDPR

Most US trust center platforms now offer EU hosting. The checkbox exists. The data center is in Frankfurt or Dublin. Your procurement team sees "EU hosted" and moves on.

But data residency and data sovereignty are not the same thing. And for a trust center specifically — a platform that stores and shares your most sensitive security documentation — the distinction is commercially and legally consequential.

The Distinction

Data residency means your data is physically stored in the EU. The servers are in European data centres. The bits live on European soil.

Data sovereignty means your data is subject to European legal jurisdiction — and only European legal jurisdiction. No foreign government can compel the vendor to hand over your data under their own domestic law.

You can have residency without sovereignty. A US-incorporated company operating EU data centres provides residency. But as a US legal entity, it remains subject to US law — including the CLOUD Act.

You cannot have sovereignty without residency. But residency alone is not enough.

Why This Matters More for Trust Centers

Every SaaS tool faces the residency-vs-sovereignty question. But for most categories — project management, CRM, communication — the data sensitivity is moderate. The practical risk of a CLOUD Act request targeting your Jira tickets is low.

Trust centers are different. By design, they contain the most sensitive documentation about your security posture:

  • Penetration test reports detailing vulnerabilities and remediation status
  • Security architecture documentation describing your infrastructure
  • Compliance evidence including audit reports, control assessments, and certification scopes
  • Subprocessor lists with data flows and processing locations
  • Incident response documentation including post-incident analyses
  • Internal policy summaries that reveal your security programme's structure

This is precisely the kind of information that makes the sovereignty question operationally relevant, not theoretical. If a foreign government can legally compel access to your trust center data, they can access a structured, current, comprehensive view of your security posture — something that would normally require a significant intelligence effort to compile.

The CLOUD Act Problem

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) gives US law enforcement the authority to compel US-incorporated companies to produce data in their possession, custody, or control — regardless of where that data is physically stored.

This creates a direct conflict with GDPR. Article 48 states that any transfer of personal data to a third country authority on the basis of a foreign court or administrative order shall only be recognised or enforceable if based on an international agreement. The CLOUD Act is not based on such an agreement.

The vendor is caught between two legal systems:

  • US law says: Hand over the data when presented with a valid legal order.
  • EU law says: Don't hand over the data unless the request goes through proper mutual legal assistance channels.

For your trust center, this creates a practical problem: your most sensitive security documentation is stored on a platform where a foreign government has a legal mechanism to demand access, regardless of where the data physically sits.

"But This Has Never Happened to a Trust Center"

That's probably true. CLOUD Act requests have targeted communications, financial data, and criminal evidence — not trust center platforms. But the legal mechanism exists, and the compliance exposure is real.

More importantly, this is already a procurement factor. European enterprise buyers — especially in regulated sectors — include CLOUD Act exposure in their vendor risk assessments. If your trust center platform creates CLOUD Act risk, that risk flows to every customer who relies on your trust center for their own supply chain compliance.

It's not about whether a request will happen. It's about whether the structural risk exists and whether your customers' compliance teams will flag it.

What "EU Hosted" Actually Means With US Vendors

US trust center platforms typically offer EU hosting through one of these configurations:

EU Data Centre Region

The vendor operates (or rents) servers in EU data centres. Your data at rest is in the EU. This is genuine data residency.

But the vendor's corporate entity — the legal person that controls the infrastructure, employs the engineers, and responds to legal orders — is in the US. The CLOUD Act follows the corporate entity, not the data.

EU-Specific Instance

Some vendors offer a separate EU instance — sometimes with a separate domain, separate support team, or separate operational boundaries. This is a stronger posture than a simple region selection.

But if the EU instance is operated by a subsidiary of a US parent company, the CLOUD Act can reach the parent. And if the support, engineering, or operational teams are shared across US and EU instances, the practical separation may be less robust than the marketing suggests.

Enterprise-Tier EU Hosting

Many US vendors offer EU hosting only at enterprise pricing tiers. This means:

  • Start-ups and mid-market companies default to US hosting
  • EU hosting is an upsell, not a default
  • The company's architecture wasn't designed EU-first; EU hosting was added later

For the trust center market specifically, this creates an ironic dynamic: the companies most affected by NIS2 (the long tail of important entities, many of them mid-market) are the ones least likely to access EU hosting features.

What True Data Sovereignty Requires

For a trust center to offer genuine data sovereignty, it needs more than a data centre in the EU.

EU Corporate Structure

The vendor must be incorporated in an EU member state — not as a subsidiary of a US parent, but as an entity whose ultimate legal obligations are to European authorities. This is the only structural defence against extraterritorial data access laws.

EU Infrastructure by Default

EU hosting should be the default configuration, not an enterprise upsell. If you have to negotiate or pay extra for EU hosting, the platform wasn't designed for EU sovereignty — it was designed for US operations with EU as a secondary market.

Operational Sovereignty

Support interactions, log processing, analytics, and operational data should all remain within EU jurisdiction. A platform that stores your trust center content in the EU but processes operational data in the US has a sovereignty gap.

Subprocessor Chain Sovereignty

The vendor's subprocessors matter too. If the trust center platform uses US-based analytics, monitoring, or infrastructure services, those subprocessors may create CLOUD Act exposure even if the primary vendor is EU-based. A genuinely sovereign trust center operates with an EU subprocessor chain.

How to Evaluate Sovereignty in Practice

When assessing a trust center platform's sovereignty posture, ask these questions:

Corporate structure: Where is the vendor incorporated? Is there a US parent, holding company, or majority investor that creates US legal exposure?

Hosting default: Is EU hosting the default for all customers, or is it an enterprise-tier feature? What happens if you start on a lower tier — does your data default to US hosting?

Operational data: Where are logs, analytics, support tickets, and operational metadata processed? Is this covered by the same EU hosting commitment as the trust center content itself?

Subprocessors: Who are the vendor's subprocessors? Where are they incorporated and where do they process data? Is the subprocessor list public, or do you need to sign an NDA to see it?

Incident response: If a foreign government makes a data access request, what is the vendor's documented process? Have they published a transparency report?

Contractual terms: Does the DPA explicitly address CLOUD Act risk? Does the vendor commit to challenging extraterritorial requests?

The Procurement Reality

This isn't an abstract legal debate. It's a procurement factor that's becoming more consequential every year.

Under NIS2, essential and important entities must address supply chain security. Their vendor risk assessments increasingly include data sovereignty evaluation — not just "where is the data" but "who can legally access it."

Under DORA, financial entities must evaluate ICT third-party risk including the legal and regulatory environment of the provider's jurisdiction. A trust center on US-controlled infrastructure creates a risk factor that financial entities must document and justify.

European DPOs, CISOs, and procurement teams are asking these questions. They're including sovereignty criteria in RFPs. They're flagging CLOUD Act exposure in vendor risk registers.

If your trust center creates this exposure for your customers, it becomes their compliance problem. And compliance problems don't accelerate deals — they stall them.

Sources

  1. US CLOUD Act (H.R. 4943) — Extraterritorial data access provisions.
  2. GDPR Article 48 — Transfers not authorised by Union law.
  3. GDPR Article 28 — Processor obligations and subprocessor transparency.
  4. Directive (EU) 2022/2555 (NIS2) — Supply chain security obligations.
  5. Regulation (EU) 2022/2554 (DORA) — ICT third-party risk management, including jurisdiction assessment.
  6. Schrems II (Case C-311/18) — CJEU ruling invalidating Privacy Shield, establishing higher bar for international data transfers.

Related Reading